[Snort-sigs] SID 221 DDOS TFN Probe

dbs brandon at ...2588...
Fri Jun 25 06:53:07 EDT 2004


 
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Is this signature correctly configured to alert when an external host
is probing a "HOME_NET" for TFN clients?  I have noticed this rule
alerting on my network, lately.  Having heard of the TFN DDOS before,
I decided to look into it.  From what I understand about the TFN DDOS
Probe, shouldn't this rule be looking at the ICMP/ID "i.e.
icmp_id:678" instead of looking at the IPID "i.e id:678"?  In
addition, the "Detailed Summary:" listed on
http://www.snort.org/snort-db/sid.html?id=221 states, "The TFN
DDoS uses a tiered structure of compromised hosts to coordinate and
participate in a distributed denial of service attack. At the highest
level, attackers communicate with clients to launch attacks. An
attacker may probe for TFN clients using an ICMP echo request with an
ICMP identification number of 678 and a string of "1234" in the
payload."   

I would like to draw your attention to the last sentence, "An
attacker may probe for TFN clients using an ICMP echo request with an
ICMP identification number of 678 and a string of "1234" in the
payload."
Is this rule misconfigured, or am I incorrect and misguided?  I welcome
any insight.

alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"DDOS TFN Probe";
id:678; itype:8; content:"1234"; reference:arachnids,443;
classtype:attempted-recon; sid:221; rev:3;) 




Fingerprint:  
AB56 1637 13F5 9FF8 2F0B  7147 F20D 21CB 5728 FEAE

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.3

iQA/AwUBQNvqEvINIctXKP6uEQKpGgCggghXCsiEYM0wMscONFet7WnEJZsAoIsx
UEfHRxQfr6ueEpmnP6vlYJC3
=A4XP
-----END PGP SIGNATURE-----
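An added example, not part of the original post or of the Snort rule set, to make the distinction in the question concrete. In Snort, the `id` option tests the IPv4 header identification field, while `icmp_id` tests the identifier in the ICMP echo header; the two are different bytes of the packet. The script below builds two constructed packets (sample traffic invented here, not captured data): a probe matching the summary's description (ICMP echo request, ICMP id 678, payload "1234") and an ordinary ping whose IP ID happens to be 678. It then reimplements the field tests of the rev:3 rule (`id:678`) and of an `icmp_id:678` variant in plain Python over the raw bytes; no Snort is involved, and the matcher functions, addresses and packet contents are this example's own assumptions.

```python
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum, used for both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_echo_request(ip_id: int, icmp_id: int, payload: bytes,
                       src: str = "10.0.0.1", dst: str = "192.168.1.10",
                       seq: int = 0) -> bytes:
    """Constructed sample packet: IPv4 header followed by an ICMP echo request (type 8).
    Addresses are placeholders chosen for this example."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, icmp_id, seq) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    total_len = 20 + len(icmp)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ip_id, 0, 64, 1, 0,
                         bytes(int(o) for o in src.split(".")),
                         bytes(int(o) for o in dst.split(".")))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + icmp


def parse(pkt: bytes) -> dict:
    """Extract the fields the two rule variants look at from a raw IPv4/ICMP packet."""
    ihl = (pkt[0] & 0x0F) * 4
    ip_id = struct.unpack("!H", pkt[4:6])[0]   # IPv4 identification field (Snort 'id')
    proto = pkt[9]
    icmp = pkt[ihl:]
    itype, _code, _csum, icmp_id, _seq = struct.unpack("!BBHHH", icmp[:8])
    return {"ip_id": ip_id, "proto": proto, "itype": itype,
            "icmp_id": icmp_id,                 # ICMP echo identifier (Snort 'icmp_id')
            "payload": icmp[8:]}


def rule_rev3_ip_id(pkt: bytes) -> bool:
    """Field tests of the rev:3 rule as posted: id:678; itype:8; content:"1234"."""
    f = parse(pkt)
    return (f["proto"] == 1 and f["ip_id"] == 678
            and f["itype"] == 8 and b"1234" in f["payload"])


def rule_icmp_id(pkt: bytes) -> bool:
    """Same tests but on the ICMP identifier: icmp_id:678; itype:8; content:"1234"."""
    f = parse(pkt)
    return (f["proto"] == 1 and f["icmp_id"] == 678
            and f["itype"] == 8 and b"1234" in f["payload"])


# Constructed traffic: the probe described in the SID 221 summary, and a benign ping
# whose IP ID is 678 only by coincidence.
TFN_PROBE = build_echo_request(ip_id=0x1A2B, icmp_id=678, payload=b"1234")
BENIGN_PING = build_echo_request(ip_id=678, icmp_id=1, payload=b"1234abcdefghijkl")

if __name__ == "__main__":
    for name, pkt in (("TFN probe", TFN_PROBE), ("benign ping", BENIGN_PING)):
        print(f"{name:12s} id:678 -> {rule_rev3_ip_id(pkt)}   "
              f"icmp_id:678 -> {rule_icmp_id(pkt)}")
```

Run as a script it prints one line per packet. The `id:678` variant misses the constructed probe and fires on the benign ping, while the `icmp_id:678` variant does the reverse, which is the behaviour difference the question is about; the IP identification field is set by the sender's IP stack and is not under the control of a TFN probe tool in the way the ICMP echo identifier is.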